Analysis Overview
SHA256
f18f14ec50247a31a03a220e132f9317e2ac12e3905e500ba046d394575b66ee
Threat Level: Known bad
The file r8p(4).exe was found to be: Known bad.
Malicious Activity Summary
r77 rootkit payload
Modifies security service
Modifies firewall policy service
R77 family
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Image File Execution Options Injection
Loads dropped DLL
Event Triggered Execution: Component Object Model Hijacking
Indicator Removal: Clear Windows Event Logs
Executes dropped EXE
Checks installed software on the system
Drops desktop.ini file(s)
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Detects Pyinstaller
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-29 08:49
Signatures
R77 family
r77 rootkit payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
144s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-W11\shell\NormalColor\en-US\shellstyle.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
84s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-W11\shell\NormalColor\shellstyle.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
88s
Max time network
101s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\windhawk.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\windhawk.exe
"C:\Users\Admin\AppData\Local\Temp\windhawk.exe"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
82s
Max time network
93s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-Redstone\style.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
146s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-W11\style.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
84s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-Redstone\shell\NormalColor\shellstyle.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
86s
Max time network
94s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\instextras.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\instextras.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\instextras.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\instextras.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\instextras.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\instextras.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\instextras.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\instextras.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\instextras.exe
"C:\Users\Admin\AppData\Local\Temp\instextras.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nszAB54.tmp\Aero.dll
| MD5 | 0cb4305037fdbb31b1763beed3564f7f |
| SHA1 | b584fd7ebffc331b2a08c6c7c74ed1193f3fa22d |
| SHA256 | 4f8ac32dd2cca85f9a018eb6a29bf0405af41a725a8a6ff6a7429704feef8d7b |
| SHA512 | e85449f23ac1742b59fb5299737cfdc1c0aae79c0c247f47fcc7887c433d085087d23e7bb521b9f63e470772e0b5e1e3b3afb9b9244f12b425d43d5205a21a4c |
C:\Users\Admin\AppData\Local\Temp\nszAB54.tmp\Crypto.dll
| MD5 | 59b7a89dbff790d69e01409dbc2a2788 |
| SHA1 | 4ebbee3ebb35add8c1a0e436a4e4c9c5ba47c02a |
| SHA256 | 17b9038e66f3f45c4e775b32ad1bf076812d1ca4149198b47f4e0eda416859b1 |
| SHA512 | c202034bfbb7aca777326e7fb336e977e79cd9ba3bc7c17e5b6ec9c0222f6df2e1675b7d6bcb3de04a84e6226b193a5e0b81af950bc659fab83d12cd2fb84c04 |
C:\Users\Admin\AppData\Local\Temp\nszAB54.tmp\nsDialogs.dll
| MD5 | b7d61f3f56abf7b7ff0d4e7da3ad783d |
| SHA1 | 15ab5219c0e77fd9652bc62ff390b8e6846c8e3e |
| SHA256 | 89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912 |
| SHA512 | 6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8 |
C:\Users\Admin\AppData\Local\Temp\nszAB54.tmp\System.dll
| MD5 | 192639861e3dc2dc5c08bb8f8c7260d5 |
| SHA1 | 58d30e460609e22fa0098bc27d928b689ef9af78 |
| SHA256 | 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6 |
| SHA512 | 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc |
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1976 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | C:\Users\Admin\AppData\Local\Temp\sym.exe |
| PID 1976 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\sym.exe | C:\Users\Admin\AppData\Local\Temp\sym.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\sym.exe
"C:\Users\Admin\AppData\Local\Temp\sym.exe"
C:\Users\Admin\AppData\Local\Temp\sym.exe
"C:\Users\Admin\AppData\Local\Temp\sym.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI19762\python311.dll
| MD5 | d06da79bfd21bb355dc3e20e17d3776c |
| SHA1 | 610712e77f80d2507ffe85129bfeb1ff72fa38bf |
| SHA256 | 2835e0f24fb13ef019608b13817f3acf8735fbc5f786d00501c4a151226bdff1 |
| SHA512 | e4dd839c18c95b847b813ffd0ca81823048d9b427e5dcf05f4fbe0d77b8f7c8a4bd1c67c106402cd1975bc20a8ec1406a38ad4764ab466ef03cb7eb1f431c38a |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\base_library.zip
| MD5 | 6e706e4fa21d90109df6fce1b2595155 |
| SHA1 | 5328dd26b361d36239facff79baca1bab426de68 |
| SHA256 | ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998 |
| SHA512 | c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34 |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_ssl.pyd
| MD5 | e5b1a076e9828985ea8ea07d22c6abd0 |
| SHA1 | 2a2827938a490cd847ea4e67e945deb4eef8cbb1 |
| SHA256 | 591589dadc659d1ad4856d16cd25dc8e57eaa085bf68eb2929f8f93aba69db1b |
| SHA512 | 0afd20f581efb08a7943a1984e469f1587c96252e44b3a05ca3dfb6c7b8b9d1b9fd609e03a292de6ec63b6373aeacc822e30d550b2f2d35bf7bf8dd6fc11f54f |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_uuid.pyd
| MD5 | b21b864e357ccd72f35f2814bd1e6012 |
| SHA1 | 2ff0740c26137c6a81b96099c1f5209db33ac56a |
| SHA256 | ce9e2a30c20e6b83446d9ba83bb83c5570e1b1da0e87ff467d1b4fc090da6c53 |
| SHA512 | 29667eb0e070063ef28b7f8cc39225136065340ae358ad0136802770b2f48ac4bda5e60f2e2083f588859b7429b9ea3bad1596a380601e3b2b4bb74791df92a3 |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_hashlib.pyd
| MD5 | ba682dfcdd600a4bb43a51a0d696a64c |
| SHA1 | df85ad909e9641f8fcaa0f8f5622c88d904e9e20 |
| SHA256 | 2ad55e11bddb5b65cdf6e9e126d82a3b64551f7ad9d4cbf74a1058fd7e5993bd |
| SHA512 | 79c607e58881d3c3dfb83886fe7aa4cddb5221c50499d33fe21e1efb0ffa1fd0d3f52cbe97b16b04fbe2b067d6eb5997ac66dec9d2a160d3cb6d44ffca0f5636 |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\libcrypto-3.dll
| MD5 | e547cf6d296a88f5b1c352c116df7c0c |
| SHA1 | cafa14e0367f7c13ad140fd556f10f320a039783 |
| SHA256 | 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de |
| SHA512 | 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\select.pyd
| MD5 | e07ae2f7f28305b81adfd256716ae8c6 |
| SHA1 | 9222cd34c14a116e7b9b70a82f72fc523ef2b2f6 |
| SHA256 | fb06ac13f8b444c3f7ae5d2af15710a4e60a126c3c61a1f1e1683f05f685626c |
| SHA512 | acb143194ca465936a48366265ae3e11a2256aeae333c576c8c74f8ed9b60987daff81647aef74e236b30687a28bc7e3aa21c6aedbfa47b1501658a2bfd117b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_lzma.pyd
| MD5 | 3273720ddf2c5b75b072a1fb13476751 |
| SHA1 | 5fe0a4f98e471eb801a57b8c987f0feb1781ca8b |
| SHA256 | 663f1087c2ed664c5995a3ffa64546d2e33a0fce8a9121b48cc7c056b74a2948 |
| SHA512 | 919dbbfcc2f5913655d77f6c4ae9baa3a300153a5821dc9f23e0aceb89f69cb9fb86d6ce8f367b9301e0f7b6027e6b2f0911a2e73255ab5150a74b862f8af18e |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_bz2.pyd
| MD5 | 37eace4b806b32f829de08db3803b707 |
| SHA1 | 8a4e2bb2d04685856d1de95b00f3ffc6ea1e76b9 |
| SHA256 | 1be51ef2b5acbe490217aa1ff12618d24b95df6136c6844714b9ca997b4c7f9b |
| SHA512 | 1591a263de16373ee84594943a0993721b1e1a2f56140d348a646347a8e9760930df4f632adcee9c9870f9c20d7818a3a8c61b956723bf94777e0b7fb7689b2d |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_socket.pyd
| MD5 | 485d998a2de412206f04fa028fe6ba90 |
| SHA1 | 286e29d4f91a46171ba1e3c8229e6de94b499f1d |
| SHA256 | 8f9ede5044643413c3b072cd31a565956498ca07cdd17fb6a04483d388fdad76 |
| SHA512 | 68591522e9188f06ff81cd2b3506b40b9ad508d6e34f0111819bf5eff47ed9adf95ebfae5d05b685c4f53b186d15cc45e0d831d96be926f7a5762ee2f1341f1f |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\libssl-3.dll
| MD5 | 19a2aba25456181d5fb572d88ac0e73e |
| SHA1 | 656ca8cdfc9c3a6379536e2027e93408851483db |
| SHA256 | 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006 |
| SHA512 | df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337 |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_decimal.pyd
| MD5 | e4e032221aca4033f9d730f19dc3b21a |
| SHA1 | 584a3b4bc26a323ce268a64aad90c746731f9a48 |
| SHA256 | 23bdd07b84d2dbcb077624d6dcbfc66ab13a9ef5f9eebe31dc0ffece21b9e50c |
| SHA512 | 4a350ba9e8481b66e7047c9e6c68e6729f8074a29ef803ed8452c04d6d61f8f70300d5788c4c3164b0c8fb63e7c9715236c0952c3166b606e1c7d7fff36b7c4c |
C:\Users\Admin\AppData\Local\Temp\_MEI19762\unicodedata.pyd
| MD5 | 5cc36a5de45a2c16035ade016b4348eb |
| SHA1 | 35b159110e284b83b7065d2cff0b5ef4ccfa7bf1 |
| SHA256 | f28ac3e3ad02f9e1d8b22df15fa30b2190b080261a9adc6855248548cd870d20 |
| SHA512 | 9cccbf81e80c32976b7b2e0e3978e8f7350cce542356131b24ebab34b256efd44643d41ee4b2994b9152c2e5af302aa182a1889c99605140f47494a501ef46c1 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-Redstone\shell\NormalColor\en-US\shellstyle.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
146s
Max time network
160s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-Redstone\style.dll,#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
82s
Max time network
97s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-Redstone\shell\NormalColor\shellstyle.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-Redstone\style.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
84s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-Redstone\style.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
85s
Max time network
102s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Classic-W11\style.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
144s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-W11\shell\NormalColor\en-US\shellstyle.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ThemeSwitcher.exe
"C:\Users\Admin\AppData\Local\Temp\ThemeSwitcher.exe"
Network
Files
memory/4580-0-0x00007FFA9E893000-0x00007FFA9E895000-memory.dmp
memory/4580-1-0x00000000001C0000-0x00000000001F6000-memory.dmp
memory/4580-2-0x00007FFA9E890000-0x00007FFA9F352000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 138aec8421a680077f437b52b68e92e0 |
| SHA1 | 5de46a5f53747e84e4a741d3a685642c0fd5c911 |
| SHA256 | 7f4146d11b118ac61fce0f23d9b8e7bc0d49c509dbe70fa703d86bc9c5b72ebc |
| SHA512 | 11d87e989f2af2c99aef3e6022191161122c0c7394c699ce04350bef8608cf49b118589db5cf4d75eb7a5eeee9556782dc9432a0890cf4e53e485c5d8531eb5f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | b264deaacbfcacebaa7993791bafb7fa |
| SHA1 | 22e11e044127c86cf189eaa1a2accfb69cfc09df |
| SHA256 | eb4cd12a792e06160fe8f8db0e58070356bda820051ab3eaa62c056e4faf55a6 |
| SHA512 | 81f107e8323d57ce3946b342307dc86b05ff3ffad514df0e11e00eb5229986b2df9d0781c6420b3da84ab05c94ceffc8f672377e7d1e0b5f6ef66af12e0e1049 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
| MD5 | 5e53216fe351e47b1e42a5b993e9cffd |
| SHA1 | 89865999cd3175542dd5b0c3b382d283cf5f6dc2 |
| SHA256 | 306499e9d20226befd4ff48fe27ae704a3586f0c138fa5088850e7abc400d2ec |
| SHA512 | 5df18280a0da242b7b988f70ff6ff60522ef6c17b29cf1737f6e8438da9627ce7007151dc1d7d0584ec38f5b371ed5add7058a468ea31eea3ab282af0879d2c1 |
memory/4580-708-0x00007FFA9E890000-0x00007FFA9F352000-memory.dmp
memory/4580-757-0x00007FFA9E893000-0x00007FFA9E895000-memory.dmp
memory/4580-758-0x00007FFA9E890000-0x00007FFA9F352000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
146s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-W11\style.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
84s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-Redstone\shell\NormalColor\shellstyle.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
145s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-W11\style.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
84s
Max time network
97s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Classic-Redstone\style.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-W11\shell\NormalColor\en-US\shellstyle.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
85s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-W11\shell\NormalColor\shellstyle.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
143s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-W11\style.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 09:08
Platform
win11-20241007-en
Max time kernel
1051s
Max time network
445s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{6EF4679F-6D06-4376-A0A5-7A826C6B4544} = "v2.31|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{EF559C60-57C3-4BAB-BC86-68F96A3C7681} = "v2.31|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{E42763C8-14B3-440A-9AF8-9AA1F467552E} = "v2.31|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Security=Authenticate|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{AE519E9D-103E-4FA5-9D0F-F148FDE26CDD} = "v2.31|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Security=Authenticate|" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{A133FF5E-DC82-4F5A-B2BA-ACB59C0F1621} = "v2.31|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{BAA6A174-ECD1-4C14-B7C0-8A6B49A0FB9F} = "v2.31|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{17FCB4D4-7546-4AB8-8AB8-5A0B919280BB} = "v2.31|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{67B49050-B8AF-4EA7-BAF8-896F755F7F22} = "v2.31|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{4E4F5702-BAE2-457F-A569-A4E83ED7A71D} = "v2.31|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|" | C:\Windows\system32\svchost.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000S-1-5-21-3587106988-279496464-3440778474-1000 = "v2.31|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|M=microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|D=C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\|PFN=Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy|" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000S-1-5-21-3587106988-279496464-3440778474-1000 = "v2.31|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|M=microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\PolicyVersion = "543" | C:\Windows\system32\svchost.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\GlobalFlag = "256" | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\VerifierDlls = "SecureUxTheme.dll" | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Admin.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Savanna\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Sonata\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Calligraphy\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Cityscape\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Heritage\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Landscapes\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Quirky\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Raga\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Afternoon\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Characters\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Delta\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Festival\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Garden\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\duires.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\system32\SecureUxTheme.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\CPL\he-IL\display.dll.mui | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\gameux\ar-sa\gameux7.dll.mui | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Cityscape\Windows Battery Low.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Landscapes\Windows Print complete.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Styles\W7Aero-W11\style.msstyles | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\classicfix-themecpl.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\CPL\tr-TR\shell7.dll.mui | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Savanna\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\StartIsBack32.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\ExplorerFrame21332.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\gameux\sl-si\gameux7.dll.mui | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\Mods\64\local@r8p-w7-remove-ms-store-open-with_1.0.0_127284.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\ThemeFiles\Redstone\r8p-w7-Landscapes.theme | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\glass8-1607.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\magnify.exe.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\ModsSource\[email protected] | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Calligraphy\Windows Print complete.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Characters\Windows Feed Discovered.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Quirky\Windows Print complete.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Cursors\aero_select.cur | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\gameux\el-gr\gameux7.dll.mui | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Landscapes\Windows Navigation Start.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\1.5.1\64\windhawk.lib | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\Mods\64\local@r8p-w7classic-sib-config_1.0.0_611781.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\W7Icons\fontext.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\ModsSource\[email protected] | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Sonata\Windows Information Bar.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Cursors\aero_nesw.cur | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Garden\Windows Logoff Sound.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\Mods\64\windhawk-mod-shim.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\SmartScreenSettings.exe.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Cursors\aero_ew.cur | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Raga\Windows Logoff Sound.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Wallpaper\Windows\Harmony.jpg | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\Symbols\twinui.pcshell.pdb\136C29961CF30C574958362491C73CFC1\twinui.pcshell.pdb | C:\Windows\Revert8Plus\sym.exe | N/A |
| File created | C:\Windows\Revert8Plus\Cursors\aero_move.cur | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\gameux\tr-tr\gameux7.dll.mui | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Calligraphy\Windows Ding.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Raga\Windows Navigation Start.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Savanna\Windows Logoff Sound.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Sonata\Windows Default.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\1.5.1\32\windhawk.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Windows\Windows Error.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\Mods\64\local@r8p-vista-sib-loader_1.0.0_238877.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\W7Icons\UserAccountControlSettings.exe.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\W7Icons\devmgr.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Windows\Windows Recycle.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Styles\W7Basic-W11\shell\NormalColor\en-US\shellstyle.dll.mui | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\Symbols\uxtheme.pdb\CFE07DF3A2489E01E6F8D4D9196EA0AF1\uxtheme.pdb | C:\Windows\Revert8Plus\sym.exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\1.5.1\32\symsrv.yes | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\batmeter.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\CPL\sr-Latn-CS\recovery.dll.mui | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Delta\Windows Hardware Insert.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Resources\Themes\r8p-vista-Default.theme | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\CPL\bthprops.cpl | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\ModsSource\[email protected] | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Styles\W7Dark2-W11\shell\NormalColor\en-US\shellstyle.dll.mui | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\Mods\32\local@r8p-w7-sib-loader_1.0.0_352950.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\ModsWritable\W7Icons\SmartScreenSettings.exe.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\ModsSource\[email protected] | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\SoundSchemes\Festival\Windows User Account Control.wav | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Wallpaper\Landscapes\1.jpg | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| File created | C:\Windows\Revert8Plus\Engine\Mods\64\local@r8p-w7-accent-color-sync_1.53_198080.dll | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\Profile | C:\Windows\system32\winlogon.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\CLSID | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "183" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\LocalizedString = "@%SystemRoot%\\system32\\shell32.dll,-30579" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ = "C:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\StartIsBack64.dll" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Properties\Command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\ShellFolder | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\runas\Command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{709E2729-F883-441e-A877-ED3CEFC975E6}\ = "ProfileNotifyHandler Class" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\Extended | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\Extended | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{542EEE1B-A254-46F7-B980-35BECF6076A4}\Instance\InitPropertyBag\ResourceID = "1001" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Open\MuiVerb = "@twinui.dll,-1321" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ = "C:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\StartIsBack64.dll" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Properties\Command | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133773441497184451" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\ShellFolder\Attributes = "672137216" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\MuiVerb = "@shell32.dll,-32960" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2e7583c7-7eba-4a1a-8468-d03d28477e6f}\InProcServer32\ = "%SystemRoot%\\Revert8Plus\\Engine\\ModsWritable\\gameux\\migration\\gameuxmig.dll" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{709E2729-F883-441e-A877-ED3CEFC975E6} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32 | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\ShellFolder\Attributes = "2684354560" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ = "C:\\Windows\\Revert8Plus\\Engine\\ModsWritable\\gameux\\gameux7.dll" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ = "C:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\StartIsBack64.dll" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Open\Command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\Command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{542EEE1B-A254-46F7-B980-35BECF6076A4}\InprocServer32\ = "@%SystemRoot%\\Revert8Plus\\R8PCPL.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ = "C:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\StartIsBack64.dll" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7B2FB72-D728-49B3-A5F2-18EBF5F1349E} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE695-542D-46F6-AEAB-FA2F1B2102D3}\InprocServer32 | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32 | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\Command | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\ShellFolder\Attributes = "2684354560" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{542EEE1B-A254-46F7-B980-35BECF6076A4}\ShellFolder\Attributes = "2684354560" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F382DA49-9148-4a22-AF78-C378DFC32D02}\ = "MS_InstalledGameProv Class" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\ = "StartIsBack All Programs Folder" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ = "C:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\StartIsBack64.dll" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Properties | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\ = "Taskbar Pin" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\ShellFolder\Attributes = "2684354560" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\MuiVerb = "@shell32.dll,-32960" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\Position = "Bottom" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133773441517579107" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{709E2729-F883-441e-A877-ED3CEFC975E6}\InprocServer32\ = "C:\\Windows\\Revert8Plus\\Engine\\ModsWritable\\gameux\\gameux7.dll" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\SeparatorBefore = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{542EEE1B-A254-46F7-B980-35BECF6076A4}\Instance\InitPropertyBag | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{709E2729-F883-441e-A877-ED3CEFC975E6}\InprocServer32 | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\r8p(4).exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| N/A | N/A | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| N/A | N/A | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| N/A | N/A | C:\ProgramData\Windhawk\Windhawk.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\r8p(4).exe
"C:\Users\Admin\AppData\Local\Temp\r8p(4).exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName|findstr .|findstr /v displayName|findstr /v /c:"Windows Defender"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
C:\Windows\SysWOW64\findstr.exe
findstr .
C:\Windows\SysWOW64\findstr.exe
findstr /v displayName
C:\Windows\SysWOW64\findstr.exe
findstr /v /c:"Windows Defender"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\Revert8Plus";Add-MpPreference -ExclusionPath "C:\ProgramData\Windhawk";Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\Windows Aero";Add-MpPreference -ExclusionPath "C:\Windows\Temp\r8p.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\Revert8Plus\R8PCPL.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Windows\Revert8Plus\R8PCPL.dll"
C:\Windows\system32\reg.exe
"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\dwm.reg"
C:\Windows\system32\reg.exe
"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\gameux.reg"
C:\Windows\system32\reg.exe
"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\redirection-vista.reg"
C:\Windows\system32\reg.exe
"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\redirection-w7.reg"
C:\Windows\system32\reg.exe
"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\sib-vista.reg"
C:\Windows\system32\reg.exe
"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\sib-w7.reg"
C:\Windows\system32\reg.exe
"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\sib-w7basic.reg"
C:\Windows\system32\reg.exe
"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\sib-w7classic.reg"
C:\Windows\system32\reg.exe
"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\windhawk.reg"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ActionCenter.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ActionCenter.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\Revert8Plus\Engine\ModsWritable\AltTab.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\Revert8Plus\Engine\ModsWritable\AltTab.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ApplicationFrame.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ApplicationFrame.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\DUI70.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\DUI70.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\consent.exe"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\consent.exe"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\comctl32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\comctl32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\comctl32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\comctl32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\dwmcore.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\dwmcore.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\explorer.exe"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\explorer.exe"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\Revert8Plus\Engine\ModsWritable\explorer.exe"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\Revert8Plus\Engine\ModsWritable\explorer.exe"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ExplorerFrame.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ExplorerFrame.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\ExplorerFrame.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\ExplorerFrame.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\pnidui.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\pnidui.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\shell32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\shell32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\shell32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\shell32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\SndVolSSO.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\SndVolSSO.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\stobject.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\stobject.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ThemeUI.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ThemeUI.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\timedate.cpl"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\timedate.cpl"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\twinui.pcshell.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\twinui.pcshell.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\twinui.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\twinui.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\uDWM.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\uDWM.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\user32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\user32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\user32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\user32.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\UXInit.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\UXInit.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\UxTheme.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\UxTheme.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\van.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\van.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\Windows.Storage.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\Windows.Storage.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\Windows.Storage.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\Windows.Storage.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\winlogon.exe"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\winlogon.exe"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ntdll.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ntdll.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\ntdll.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\ntdll.dll"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\sndvol.exe"
C:\Windows\Revert8Plus\sym.exe
"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\sndvol.exe"
C:\ProgramData\Windhawk\Windhawk.exe
"C:\ProgramData\Windhawk\Windhawk.exe" -service
C:\Windows\system32\rundll32.exe
rundll32 C:\programdata\Windhawk\Engine\ModsWritable\OpenGlassDComp.dll,StartupService
C:\ProgramData\Windhawk\Windhawk.exe
"C:\ProgramData\Windhawk\Windhawk.exe" -tray-only
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39cc855 /state1:0x41c64e6d
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000134 0000008c
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000128 0000008c
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 0000008c
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000110 0000008c
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 0000008c
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000100 0000008c
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 0000008c
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c0 0000008c
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 0000008c
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.194.1:443 | vsblobprodscussu5shard57.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | 219.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.194.209.20.in-addr.arpa | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.116.33:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.194.1:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.116.33:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.194.1:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.194.1:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.194.1:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.194.1:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.117.33:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.116.33:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.194.1:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.117.33:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.194.1:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.194.1:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.209.117.33:443 | vsblobprodscussu5shard51.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard61.blob.core.windows.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\System.dll
| MD5 | 4add245d4ba34b04f213409bfe504c07 |
| SHA1 | ef756d6581d70e87d58cc4982e3f4d18e0ea5b09 |
| SHA256 | 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706 |
| SHA512 | 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d |
C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\nsExec.dll
| MD5 | b4579bc396ace8cafd9e825ff63fe244 |
| SHA1 | 32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c |
| SHA256 | 01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b |
| SHA512 | 3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a |
C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\Aero.dll
| MD5 | 0cb4305037fdbb31b1763beed3564f7f |
| SHA1 | b584fd7ebffc331b2a08c6c7c74ed1193f3fa22d |
| SHA256 | 4f8ac32dd2cca85f9a018eb6a29bf0405af41a725a8a6ff6a7429704feef8d7b |
| SHA512 | e85449f23ac1742b59fb5299737cfdc1c0aae79c0c247f47fcc7887c433d085087d23e7bb521b9f63e470772e0b5e1e3b3afb9b9244f12b425d43d5205a21a4c |
C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\nsDialogs.dll
| MD5 | 1d8f01a83ddd259bc339902c1d33c8f1 |
| SHA1 | 9f7806af462c94c39e2ec6cc9c7ad05c44eba04e |
| SHA256 | 4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed |
| SHA512 | 28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567 |
memory/2396-26-0x0000000002ED0000-0x0000000002F06000-memory.dmp
memory/2396-27-0x00000000058C0000-0x0000000005EEA000-memory.dmp
memory/2396-28-0x0000000006060000-0x0000000006082000-memory.dmp
memory/2396-29-0x0000000006100000-0x0000000006166000-memory.dmp
memory/2396-30-0x0000000006170000-0x00000000061D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fa2czqvs.ynm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2396-39-0x00000000061E0000-0x0000000006537000-memory.dmp
memory/2396-40-0x00000000066E0000-0x00000000066FE000-memory.dmp
memory/2396-41-0x0000000006720000-0x000000000676C000-memory.dmp
memory/2396-42-0x0000000006CC0000-0x0000000006CF4000-memory.dmp
memory/2396-43-0x0000000070A50000-0x0000000070A9C000-memory.dmp
memory/2396-52-0x00000000076B0000-0x00000000076CE000-memory.dmp
memory/2396-53-0x00000000078E0000-0x0000000007984000-memory.dmp
memory/2396-54-0x0000000008060000-0x00000000086DA000-memory.dmp
memory/2396-55-0x0000000007A20000-0x0000000007A3A000-memory.dmp
memory/2396-56-0x0000000007A90000-0x0000000007A9A000-memory.dmp
memory/2396-57-0x0000000007CC0000-0x0000000007D56000-memory.dmp
memory/2396-58-0x0000000007C30000-0x0000000007C41000-memory.dmp
memory/2396-59-0x0000000007C70000-0x0000000007C7E000-memory.dmp
memory/2396-60-0x0000000007C80000-0x0000000007C95000-memory.dmp
memory/2396-61-0x0000000007D80000-0x0000000007D9A000-memory.dmp
memory/2396-62-0x0000000007D60000-0x0000000007D68000-memory.dmp
C:\Windows\Revert8Plus\SoundSchemes\Delta\Desktop.ini
| MD5 | 794f1975f13b0fb6c554d96006237cad |
| SHA1 | 4a3989d06826b5e8ed30325e3a2527f62de6ae5d |
| SHA256 | b77586f906749b00246a8d8ce73e48ea42ac69355524afe3b1183e1ac6d8d201 |
| SHA512 | c4e91baea7b0621765c5da6254be846acef4f90570950e02c8ca733b255afc5ee1ec3378ef479c6bf22205a780d22c5b14b264b55f5f471c66dbce7b84d332b5 |
C:\Windows\Revert8Plus\Styles\W7Basic-Redstone\shell\NormalColor\en-US\shellstyle.dll.mui
| MD5 | 2f5484ed6bea507bf069407cd769c8c1 |
| SHA1 | 843e91796049be18ae8f5be66a152199de4d712e |
| SHA256 | 339869ea975c67deef8afdaa6638b72b825f5899141fe68861aa4afd74cd516f |
| SHA512 | 9dfb8ed01fd231687ad8f1fe6ead0aa7b39542d1ee86a63ff44bab8d50f535397115ef338feb25b45c9f8ac8da4dd816af03c201b2a2163a39b8e87524d06bca |
C:\Windows\Revert8Plus\Styles\W7Dark2-Redstone\shell\NormalColor\shellstyle.dll
| MD5 | 24216c145d6aaf56d8de25acb32b5416 |
| SHA1 | d4f8a4a60e4f38a7d1be3e499d606f18fd417045 |
| SHA256 | c9a11ffbdda45340a8f48740b6f562950e57bee0c05e10a8978d1a3b93380f82 |
| SHA512 | 01346babee37e3ec1df171a13fe5de008554dbb682c7a407852ded255378225328cde2f313de6e04f5113d486ff2f7efd2b88184b09fd9c3a40fb041f3f78a15 |
C:\Windows\Revert8Plus\R8PCPL.dll
| MD5 | 9bc0cbdd5ced816678151377a42e00cb |
| SHA1 | e04bdf76726e73f405b4dbf532c016640ab4d1f7 |
| SHA256 | fdf1cb7a110f91774cad71d8b3ff1ee97300f147b1d5c7ac4ff859aa00ee8129 |
| SHA512 | ad3d646679b8bf1465bc68edd0ac98a0f8460577153bfb77dea165c320ab41108c679ff8802bbf9c0ea4712bde8cc2a4f6b67e92a547db40bf97c0473dc7d2ad |
C:\Windows\Revert8Plus\Registry\dwm.reg
| MD5 | 084d6f8d6d84f6bae01e5fd19e3bab5f |
| SHA1 | 8c201fed61ddaac7397c479e61b9d71705486ebe |
| SHA256 | 01a2e20064c0dc81dfb2b521cb9fbd0172770ae5a4be15882fbb7b6b9024ab39 |
| SHA512 | edf5b96839ac3c8acdd86d0a6ce7c216938c1bb4c992d934d72b6842c0796c4a4add29d60ed42c2f840007e661302ae617cad8e84c50b4ce54704b0dd013cb99 |
C:\Windows\Revert8Plus\Registry\gameux.reg
| MD5 | 62dfef91a9940c3a27bb3afc4a5bf503 |
| SHA1 | 92230f525e36e83a80b76a2ab9516cc0c20303ba |
| SHA256 | 14b1a0a326034e9cc1c8e51d5a21742674cb98bce9156b2b71310c222697cfee |
| SHA512 | 6c51c7730e1bad54dfecb38e70c16dac2b9ff5cef91ce650544e02c98d07633999c0f7a95dd6648dfd632a493c55df3a94542162a21b8a4aff15c08ff6473a43 |
C:\Windows\Revert8Plus\Registry\redirection-vista.reg
| MD5 | 5e505435dc4a098c95a18c5e0b14dfb1 |
| SHA1 | f4dd63f5e877b440d54474c3bbce44bf0a13697f |
| SHA256 | 014a1e2cd005ccbba2aed41576180fe84d8eddca81f65ce5a5b798e9c2c59113 |
| SHA512 | df6c11996f3101f5434727cb11aa7a5e4bf5e8aaaeeaa5ea85b36dd6d89cf7fcfd8d30b4ad7e8c1fe5231bfcebf4afe4beb998c46aa6b01bc400cd956bb8914a |
C:\Windows\Revert8Plus\Registry\redirection-w7.reg
| MD5 | 0cc60dc4933463c382ca38c41a2ca3eb |
| SHA1 | 6c88399d35aaffcab1161a41239e16cd02c98eb9 |
| SHA256 | 274373cd8acd0a5359441581a0b3aa201aaf6a1d749ef1d21f1dadd55ff55535 |
| SHA512 | 1831dd415a5c11a02e79d76daf2261ab1a0b036b1f14345dd51c5d0106839c541af52d3b896382a3f5370b9d979563fb771669176a0cbd78bfeff8724e5bafa9 |
C:\Windows\Revert8Plus\Registry\sib-vista.reg
| MD5 | 8dbfa54c810f4a14808707d66dd5393c |
| SHA1 | 6b76560baa11cfdc17a70858fb8c5514d8aa5be1 |
| SHA256 | 3064ad7deb064ff74e9661c7f1f6cac69e9ccb7a47df9aceab08f8b6152eda65 |
| SHA512 | 5bac15d5f0efdbba3bf19cb7f6451323347425b4fbcaaddea0058a95a40b2b6183cc8a3c5d34cd32502f9ece544492c7d10e0c8693ca53e8389df6c1d953fa51 |
C:\Windows\Revert8Plus\Registry\sib-w7.reg
| MD5 | 58bd812a391d8e6b714e21a36c6c865f |
| SHA1 | 970c806b8f5166a8118fb58502a96b7e8f720bc8 |
| SHA256 | 3ce433616d9122698acb564136d326a0eebde754f55055c6a7b1343d0ab2cac7 |
| SHA512 | de46270e52ae391fff8b7c5efdec02eb8246fd1d6de8e8ad98b979c7159dba16c763affead11ed50024faa951dcebfca9950f12242ee05c5f0d75fc7e8d22f18 |
C:\Windows\Revert8Plus\Registry\sib-w7basic.reg
| MD5 | 5e7d57b25bd06fe5229edd612ed69717 |
| SHA1 | 4c79a5e063848f161c14f92cca8093e8227ff659 |
| SHA256 | 1b99af9870dcb0d5d5495296a95e0c1f39aefa31489b2800eb3ac687bd772c8b |
| SHA512 | 3a6dc479e5eef84d09ce73a2728a37c349deb689fdfd7b0f52e0fd28094e864132daa95172e2a1d5a9772671834dc064896bbb16e81059c3d1db439a7d706da9 |
C:\Windows\Revert8Plus\Registry\sib-w7classic.reg
| MD5 | daceeae7152ac7d010259e7f0ea10191 |
| SHA1 | 3e334d90da21f6dd721e6d0ea5a3c63f5000e2fd |
| SHA256 | 12461bc0333e57b101dfc9155963e54029331350da019da3438619854748bf3a |
| SHA512 | 612924353018270eeb18173dc8b416fa8c98a61710c9da1801102da9cc72e7d151625e0962738955ade74bbe20d31d1111ae77cd6e3a3cc387cac0466d9d7871 |
C:\Windows\Revert8Plus\Registry\windhawk.reg
| MD5 | d7b8bf5339a26e604bf4e3cebe0ff388 |
| SHA1 | e5d1d680159e61759aa731a4cb5758f97204c275 |
| SHA256 | 647b074d9681da3e507905c85863ab10844010b746ab09ec74e5ab96c20af2a5 |
| SHA512 | 55cb70db10c0cc82bf0800123c4aed967f07fdc9478c5b827c66a5a81d3bf44555f0f58c0507fe198f7329118af7e3b8c825b919f8b6362b44af4800fc4bfbc5 |
C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\AccessControl.dll
| MD5 | d74bb4447af48da081c7d9b499f3a023 |
| SHA1 | dadf6e140e6fd8e49a1851cc144bb022e0adb185 |
| SHA256 | 5fd5d8aec97cffaad9b7df6371b348d436cf1401e86fab614dc4cb8575428e52 |
| SHA512 | 9a15de5c6b08914f5e5bbc1c318fb0e84da28a316cf51ccddca8dfb64cd67b7ad06acac307b41d5086a0740055d327007ff890807d6853bb2e767179a3b3d758 |
C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\WorkFoldersControl.dll
| MD5 | 0b3671b005ac881485e2403317f6ecb4 |
| SHA1 | 59eafb7fc980821448dd0f1c91f4cc2368f41442 |
| SHA256 | 2bf8d40a495dba2825b1048cd75062602a719d95cb987582b639cdbc49c3ead5 |
| SHA512 | 142b60909f8725112c8434e3c04b41632a6098bbe06809938b08bcc5b4cb11ec48770d22c8594421edab5ae18705494e9fe93266630351e3d0ee30979ba8bb82 |
C:\Windows\Revert8Plus\Engine\Symbols\warning.txt
| MD5 | 4d1464c9e110731186b6c0cf91545869 |
| SHA1 | 3f4c55f1821f58081582439aad9502213fc2c691 |
| SHA256 | a7b4e19743c9c96ab15d1a5ede861301e6baccf426c6e7637c0b8bd0ba3f98b0 |
| SHA512 | f5b74abdcb0dfe0169f7464f8fb833fa804c7f3e4dea4ecd0a0a7a8e2f859bb20ca1afb9bd394b929f48adc76a88387f870d3a9fe5f3fd823029ac52876126b1 |
memory/3232-1326-0x00000000029A0000-0x0000000002ABC000-memory.dmp
C:\Windows\Revert8Plus\sym.exe
| MD5 | 31e6cde417b805fefaa58afd59715161 |
| SHA1 | 0d6202b37f0cb0534876099a5ed1426e4c0f1a0d |
| SHA256 | a3d83b63326cfcdc66a9e7078e8515732f198673652063a22498e96efbb597ef |
| SHA512 | 7fddc59eae04f0b211ce42e17261ef09301e697e005914ba86b5bc178ae2dae1218f17a4501144202feffcf74c80e34c0909cf5459a11422370d4c2e958f0df0 |
C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\SimpleSC.dll
| MD5 | 7b89329c6d8693fb2f6a4330100490a0 |
| SHA1 | 851b605cdc1c390c4244db56659b6b9aa8abd22c |
| SHA256 | 1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d |
| SHA512 | ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a |
C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\SmartScreenSettings.exe.dll
| MD5 | 13942db88d8f74e67289130fdf16e1b9 |
| SHA1 | 8b66fb4ec6db6266a7ecc002027dba4ae00a5fc7 |
| SHA256 | 1cb61978c9f4901bb107254030560bbd3e890e504178af49ea292bc6807c3fa5 |
| SHA512 | 6b2fea11ed13d2140e7e0f16df7fa23c36eefdd7f0068bb19dd65d7a158754479aecae041843e8c862d5f73da787a0e4cf711e2df8dee2eae6d01ec3f1819e92 |
C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\ndadmin.exe.dll
| MD5 | fda58e7342584ef7b87e2c2823bcb385 |
| SHA1 | 51e843ee176ad7afcf6d418f62fff9f474a1a32f |
| SHA256 | 974895ed81cf6454a1c4474b720791800f0e4c42160a573bb4ed37c6ef13a0b0 |
| SHA512 | 580c53dd6f15e45b20f575e2a964bfbc43aa11a56536bc920c82f204821e11b40f656fa1b3d444a243ebccc784b73622f4a9eb92a0e17ac301a7fec2a49a42bd |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\python311.dll
| MD5 | d06da79bfd21bb355dc3e20e17d3776c |
| SHA1 | 610712e77f80d2507ffe85129bfeb1ff72fa38bf |
| SHA256 | 2835e0f24fb13ef019608b13817f3acf8735fbc5f786d00501c4a151226bdff1 |
| SHA512 | e4dd839c18c95b847b813ffd0ca81823048d9b427e5dcf05f4fbe0d77b8f7c8a4bd1c67c106402cd1975bc20a8ec1406a38ad4764ab466ef03cb7eb1f431c38a |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\base_library.zip
| MD5 | 6e706e4fa21d90109df6fce1b2595155 |
| SHA1 | 5328dd26b361d36239facff79baca1bab426de68 |
| SHA256 | ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998 |
| SHA512 | c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34 |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_uuid.pyd
| MD5 | b21b864e357ccd72f35f2814bd1e6012 |
| SHA1 | 2ff0740c26137c6a81b96099c1f5209db33ac56a |
| SHA256 | ce9e2a30c20e6b83446d9ba83bb83c5570e1b1da0e87ff467d1b4fc090da6c53 |
| SHA512 | 29667eb0e070063ef28b7f8cc39225136065340ae358ad0136802770b2f48ac4bda5e60f2e2083f588859b7429b9ea3bad1596a380601e3b2b4bb74791df92a3 |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_ssl.pyd
| MD5 | e5b1a076e9828985ea8ea07d22c6abd0 |
| SHA1 | 2a2827938a490cd847ea4e67e945deb4eef8cbb1 |
| SHA256 | 591589dadc659d1ad4856d16cd25dc8e57eaa085bf68eb2929f8f93aba69db1b |
| SHA512 | 0afd20f581efb08a7943a1984e469f1587c96252e44b3a05ca3dfb6c7b8b9d1b9fd609e03a292de6ec63b6373aeacc822e30d550b2f2d35bf7bf8dd6fc11f54f |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_socket.pyd
| MD5 | 485d998a2de412206f04fa028fe6ba90 |
| SHA1 | 286e29d4f91a46171ba1e3c8229e6de94b499f1d |
| SHA256 | 8f9ede5044643413c3b072cd31a565956498ca07cdd17fb6a04483d388fdad76 |
| SHA512 | 68591522e9188f06ff81cd2b3506b40b9ad508d6e34f0111819bf5eff47ed9adf95ebfae5d05b685c4f53b186d15cc45e0d831d96be926f7a5762ee2f1341f1f |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_lzma.pyd
| MD5 | 3273720ddf2c5b75b072a1fb13476751 |
| SHA1 | 5fe0a4f98e471eb801a57b8c987f0feb1781ca8b |
| SHA256 | 663f1087c2ed664c5995a3ffa64546d2e33a0fce8a9121b48cc7c056b74a2948 |
| SHA512 | 919dbbfcc2f5913655d77f6c4ae9baa3a300153a5821dc9f23e0aceb89f69cb9fb86d6ce8f367b9301e0f7b6027e6b2f0911a2e73255ab5150a74b862f8af18e |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_hashlib.pyd
| MD5 | ba682dfcdd600a4bb43a51a0d696a64c |
| SHA1 | df85ad909e9641f8fcaa0f8f5622c88d904e9e20 |
| SHA256 | 2ad55e11bddb5b65cdf6e9e126d82a3b64551f7ad9d4cbf74a1058fd7e5993bd |
| SHA512 | 79c607e58881d3c3dfb83886fe7aa4cddb5221c50499d33fe21e1efb0ffa1fd0d3f52cbe97b16b04fbe2b067d6eb5997ac66dec9d2a160d3cb6d44ffca0f5636 |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\libcrypto-3.dll
| MD5 | e547cf6d296a88f5b1c352c116df7c0c |
| SHA1 | cafa14e0367f7c13ad140fd556f10f320a039783 |
| SHA256 | 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de |
| SHA512 | 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_decimal.pyd
| MD5 | e4e032221aca4033f9d730f19dc3b21a |
| SHA1 | 584a3b4bc26a323ce268a64aad90c746731f9a48 |
| SHA256 | 23bdd07b84d2dbcb077624d6dcbfc66ab13a9ef5f9eebe31dc0ffece21b9e50c |
| SHA512 | 4a350ba9e8481b66e7047c9e6c68e6729f8074a29ef803ed8452c04d6d61f8f70300d5788c4c3164b0c8fb63e7c9715236c0952c3166b606e1c7d7fff36b7c4c |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_bz2.pyd
| MD5 | 37eace4b806b32f829de08db3803b707 |
| SHA1 | 8a4e2bb2d04685856d1de95b00f3ffc6ea1e76b9 |
| SHA256 | 1be51ef2b5acbe490217aa1ff12618d24b95df6136c6844714b9ca997b4c7f9b |
| SHA512 | 1591a263de16373ee84594943a0993721b1e1a2f56140d348a646347a8e9760930df4f632adcee9c9870f9c20d7818a3a8c61b956723bf94777e0b7fb7689b2d |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\select.pyd
| MD5 | e07ae2f7f28305b81adfd256716ae8c6 |
| SHA1 | 9222cd34c14a116e7b9b70a82f72fc523ef2b2f6 |
| SHA256 | fb06ac13f8b444c3f7ae5d2af15710a4e60a126c3c61a1f1e1683f05f685626c |
| SHA512 | acb143194ca465936a48366265ae3e11a2256aeae333c576c8c74f8ed9b60987daff81647aef74e236b30687a28bc7e3aa21c6aedbfa47b1501658a2bfd117b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\libssl-3.dll
| MD5 | 19a2aba25456181d5fb572d88ac0e73e |
| SHA1 | 656ca8cdfc9c3a6379536e2027e93408851483db |
| SHA256 | 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006 |
| SHA512 | df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337 |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\unicodedata.pyd
| MD5 | 5cc36a5de45a2c16035ade016b4348eb |
| SHA1 | 35b159110e284b83b7065d2cff0b5ef4ccfa7bf1 |
| SHA256 | f28ac3e3ad02f9e1d8b22df15fa30b2190b080261a9adc6855248548cd870d20 |
| SHA512 | 9cccbf81e80c32976b7b2e0e3978e8f7350cce542356131b24ebab34b256efd44643d41ee4b2994b9152c2e5af302aa182a1889c99605140f47494a501ef46c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI18322\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/3232-1923-0x00000000007C0000-0x00000000008DC000-memory.dmp
memory/944-1935-0x0000000001780000-0x0000000001781000-memory.dmp
memory/832-1933-0x0000000005DD0000-0x0000000005DD1000-memory.dmp
memory/816-1929-0x000000001F270000-0x000000001F271000-memory.dmp
memory/696-1927-0x0000000003F60000-0x0000000003F61000-memory.dmp
memory/640-1925-0x0000000008520000-0x0000000008521000-memory.dmp
memory/1004-1937-0x000000003C460000-0x000000003C461000-memory.dmp
memory/1120-1954-0x0000000011490000-0x0000000011491000-memory.dmp
memory/1104-1952-0x0000000000B90000-0x0000000000B91000-memory.dmp
memory/560-1948-0x0000000030450000-0x0000000030451000-memory.dmp
memory/472-1939-0x0000000018E00000-0x0000000018E01000-memory.dmp
memory/1028-1950-0x000000001BEB0000-0x000000001BEB1000-memory.dmp
memory/1324-1965-0x00000000005A0000-0x00000000005A1000-memory.dmp
memory/1216-1961-0x0000000026380000-0x0000000026381000-memory.dmp
memory/1164-1959-0x00000000226B0000-0x00000000226B1000-memory.dmp
memory/1148-1957-0x0000000033FD0000-0x0000000033FD1000-memory.dmp
memory/1288-1963-0x0000000012DC0000-0x0000000012DC1000-memory.dmp
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_472_local@r8p-w7basic-basic-themer
| MD5 | 74e06930e5cf93604723de1cc4ff9294 |
| SHA1 | a723ad0a12a68c5d654e560b99b5c3b95568e3d6 |
| SHA256 | 0330f7d59a2493099f64183a0252a1e6308dd4fb9bacabfb0ec7026f6605e12e |
| SHA512 | 52ead50e7efca4786ef6a3bad80792454c792464280ace788e98a38c04fa46bd50b4b4e3b0b88c5c75c84768d3b1c36574cd3426f18174d24111e4a3911f8ba8 |
memory/1436-1970-0x0000000027500000-0x0000000027501000-memory.dmp
memory/1488-1972-0x0000000003500000-0x0000000003501000-memory.dmp
memory/1692-1980-0x0000000010550000-0x0000000010551000-memory.dmp
memory/1656-1978-0x0000000010800000-0x0000000010801000-memory.dmp
memory/1588-1976-0x000000002DEE0000-0x000000002DEE1000-memory.dmp
memory/1572-1974-0x000000002B400000-0x000000002B401000-memory.dmp
memory/1960-1986-0x000000000D6B0000-0x000000000D6B1000-memory.dmp
memory/1792-1984-0x0000000002F20000-0x0000000002F21000-memory.dmp
memory/1768-1982-0x0000000021C40000-0x0000000021C41000-memory.dmp
memory/2036-1988-0x0000000039F50000-0x0000000039F51000-memory.dmp
memory/2044-1990-0x0000000016330000-0x0000000016331000-memory.dmp
memory/1904-1994-0x0000000037400000-0x0000000037401000-memory.dmp
memory/2108-1996-0x0000000001700000-0x0000000001701000-memory.dmp
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_2648_local@r8p-vista-icon-resource-redirect
| MD5 | 47ce5cc8ef5037c47e8329747291f58d |
| SHA1 | 1ff2f19a228f7aa5963d330e573bdcec4d9f6f02 |
| SHA256 | cf776aa95e30b00d8de42b7ff73240c2e649b5c5ce4011e66ce00384beb01860 |
| SHA512 | c6c98899f30a74940db95820440038c7dd9ee9ec1adf47fa2690526737e693355a16a6e4ef5f3e5e94f49b97cc099accf76c12d44178b695a4939262f66cabaf |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_2704_local@r8p-vista-icon-resource-redirect
| MD5 | 1d322b58ad45880eab1c25310f0de810 |
| SHA1 | c25a769b7028f1aaf4786737330b92cb59d2f50f |
| SHA256 | 52f9856bb2b529e49927c686d23ad1634244661767e407844bd3e9a5467fd853 |
| SHA512 | 3b3d5a4fdea0b443f62f68314585c7a523bcfabbf8233938edc3118dc827ff750ca88b686cc1bcf0021f02c4854ceb17f55f739e40526ae521e34f4b3384d201 |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_3148_local@r8p-vista-icon-resource-redirect
| MD5 | d998d0750215b4cd033fbc188b3ed9d2 |
| SHA1 | d594c4e4d2cb2fc641cd3316dc6ee80b72580a42 |
| SHA256 | 14f8c4fbf681f5d3e8fd82a4ce11e23fb84009305a728849cacfaa94a7d26eca |
| SHA512 | f15695c6c4815e68ff40912b7a8a5d0ba0722e7f8c7ea4c7440ed1b1560c539b2ab014272baf45ce606d406cb7533be6b603069ad99aa9ce52f09c7511bcc783 |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_3984_local@r8p-uifile-override
| MD5 | 3df4e77084d7b4a79705607b65cd2656 |
| SHA1 | c99333f9e1cd631056b94e6a9197c2e3682a28fb |
| SHA256 | 78cfefd5d7693e885c7ebb6a393e705a40360ec0cca6dce83acc2494066a4911 |
| SHA512 | fd219eac871b452f90b055ca5d53bcbd9bb61ff57ff5cf040287b5ef136506cd4d66e5894d2dedd86012cf613e654e84d617e2c7cfe8e9f02b856de00ab22991 |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_3232_local@r8p-vista-icon-resource-redirect
| MD5 | 08af8ae25b5f2dc50ab38462bd6ea886 |
| SHA1 | 5b36ac115e2493c17edd91ef40b5d17b509fa02a |
| SHA256 | 68eced46af34ce97d18052005a81282d09c6309bf305b7c2289add0d2f7359b4 |
| SHA512 | 6249a7d9088bcf10402f1a23d140a3f94ebac18e1364e218e3f25cfd93b9a97ef1c6569facad9a595c549e8f4852abe372e946d2f3cd3906daacfa21cd48fdca |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_3356_local@r8p-uifile-override
| MD5 | b80e1ebba4bf2c77f0a236ab6a268a7b |
| SHA1 | a004be8b8777f644bbe65f6897840724e67379a9 |
| SHA256 | 294865f8297419983edf4cf2335641c9a0436ec621bb20e92ec1ecb753add7f6 |
| SHA512 | 53e82251f847f2c4ac4c9daa955072e9de072eb1b5748c79595fe1c2c2b99a2efeb4bc04e5edaff0780c2692365c38c82052ccc68a18bdfd9b81d321e365bf96 |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_1672_local@r8p-vista-icon-resource-redirect
| MD5 | b998b95f9374f7836d6582dc6bf316ff |
| SHA1 | 791be035cbf6c706879625182f32d46a7fad3ad6 |
| SHA256 | 07dc662decee3bb8ce58a4bf3fc34152664288c3e64d76e63d6da4437fde5dbe |
| SHA512 | 612442e8f244a4a5d9aa2d57f1a66cca958a76b9344916b6a9bbc445a6090d372d3c2fab1ac6f4b0f94b84922f97a1784e672d2bdd8afaa3172b0e906dbde013 |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_2624_local@r8p-vista-icon-resource-redirect
| MD5 | 078f277de088948e2586e45f86e25217 |
| SHA1 | 0eb014f1eb984d89a51277f98e22a8855421c998 |
| SHA256 | 16f557e11021a8fbdb6a73cd8daa276375817d095445196d0fc7281920c9bf24 |
| SHA512 | 4aa8ef5d955fcde3d9d6130681051d1e9a3f61f47fdd7211874a9f025893465d6cc4b81b5f678c72e348be2e3bf0ed180645273970cec7917226fe5fb6a4adba |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_5100_local@r8p-vista-aerexplorer
| MD5 | 375218198b6f516a5e585c2223869533 |
| SHA1 | 59786939c3e3c865584a75c031a58271806a618f |
| SHA256 | 86b6c518c57ca13ee8af66c028cfc718e077da7bf0b1ca1c8326289e4a2b42e5 |
| SHA512 | 0fb3c5db0bffc6da75fe34c9dbd8b3080aac84cd67d559fc24895f97e15ddd7062b46f3e43f827ef273d1e3ceac2194fb346a0e881b9c8879da1b4d2241aa785 |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_4736_local@r8p-vista-sib-config
| MD5 | adb0c2841eac9f16b57b33092035cace |
| SHA1 | 136d7adde425ab8b94dd0d7281b1e9efed52ac3e |
| SHA256 | 9012fcb710b287804543e19f8354ff3f0dcc85e95db7735a7105c49a9e236376 |
| SHA512 | a00e8f5975226fd41006c163449c8be059d9746e2fba9e4216e62a933155867a92d1687d86e2c648ee2f40c75c431b34629b65fc66f585d92b264aaff41ed327 |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_2304_local@r8p-vista-icon-resource-redirect
| MD5 | a6efba8a398206830ccc2af9d18abd06 |
| SHA1 | eed92b5d2cd22e437c5822963286b0c762fbe4a0 |
| SHA256 | b28224b97c811401c6539267eef9c5e4484ab6c12b120c5bd263e99151b90040 |
| SHA512 | 3b910e8da85b23bd9284fd997f3079b12b77baecb7bbc7868d669ed75825f017255b751a747d250e5fc4b11d4103cf1ff213290c08481d0ceea4fb99e7990e92 |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_1060_local@r8p-w7basic-dwm-unextend-frames
| MD5 | 2754b0d71e29a7894c5ba16ccaddadf0 |
| SHA1 | b9bd604f9f7878d8543ae62161a23b997a840bac |
| SHA256 | 2b407f86596931bb23f3d2c03c3c013c6366749cee52450d629db488048fcc9f |
| SHA512 | 5b861b0f8f94d0d40a871919c379641c23e1fdd20d3b5268c6a96769165a7b5413865dc5ce9f6714404da78bd008f69201f99d253191de658ccb248df285778f |
C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_4832_local@r8p-vista-icon-resource-redirect
| MD5 | f142390c58dcdff182ace07e3f9598ab |
| SHA1 | 36b158a5f004d9d4bc8238a227a5bc9b99f75f69 |
| SHA256 | f84b0ce448f2294bb1dff5f99a635e02733cec741d1571d8995e101e7e58eda3 |
| SHA512 | 1d83ff4e118f839737cad54d599ed38d16c8bb6d93873ea947090b6908ca887ca79d0fb4983e8adfef810f541eebeb748d77ddc96f58a95e1f70fd32c19dfeab |
C:\Windows\System32\wbem\Performance\WmiApRpl.h
| MD5 | b133a676d139032a27de3d9619e70091 |
| SHA1 | 1248aa89938a13640252a79113930ede2f26f1fa |
| SHA256 | ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15 |
| SHA512 | c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5 |
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
| MD5 | ffdeea82ba4a5a65585103dd2a922dfe |
| SHA1 | 094c3794503245cc7dfa9e222d3504f449a5400b |
| SHA256 | c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390 |
| SHA512 | 7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a |
C:\Windows\System32\perfc011.dat
| MD5 | 5afbd30597a275ad6d5e98187742c01b |
| SHA1 | 4e9a82a388532a0fcb3671047504384e040b48a1 |
| SHA256 | 26ee1d72642d1d79b307581e6027a259696d5e3299d9d6685153a68b8c58b61b |
| SHA512 | 6d2514d6a12809a7db4901b586b57e03b6e5b0cc4ecd1baeb4f5188ca033773f7ca077fa8e8beadcf82724fd16d9136c0fc252a0163b71a0ff0eae3363f2c0cf |
C:\Windows\System32\perfh007.dat
| MD5 | 3bd8043ff69087c78cf81f0aa082664f |
| SHA1 | c669871201f05f6153dfa3f6a78d4609d818568e |
| SHA256 | d1b8be34dfdff53435bcd3f176f7aa9f17aa8f1145c42edee1ed1eec9faf02b2 |
| SHA512 | a51d2bb5641aaff1ab091a1c331b6e515bb333d2dfa9f09662d35b2315e6fbd14932102167075cd8bdacf7c8f57fe7313f7b1639090070851c2ecf7662384d6d |
C:\Windows\System32\perfc007.dat
| MD5 | 6e71c59a539ba8c2d46c4c8f478edf8c |
| SHA1 | 868558341297d83b247f8be13b375541eb58b886 |
| SHA256 | 4e4e1300a939cc5d58d0c6914410d5ad8eaf876571011fa1c6f0ce27bf59822d |
| SHA512 | 1a86ab970d99430334ba14cc14d75cb902f267e9e15019afcb64400ec6e4335adae3687a5916ccfec5fd0c82c89bfeeac2aed0c6aad693f35e7326f8fb158f9e |
C:\Windows\System32\perfh00A.dat
| MD5 | ef8cce0162906b208cff1441fe71f927 |
| SHA1 | 7a3f2d0dcb39698a6ec9190ea69f2ea01d76935e |
| SHA256 | ba9df27d32c3fa43d6840146e28e5266908124efde25a4bf459d908c232a88a7 |
| SHA512 | 35b3dbb9f5cd8b30aa0a26fdb29c562ae65ab9823ba477f082960a19d354a68729008e3c0cfce2f8cce66f6f5bab9fed7d6cbe62628c7a751bc4770a4560f5e8 |
C:\Windows\System32\perfc00A.dat
| MD5 | 6c65a113c1d1dcbc5f7603db0134dcb7 |
| SHA1 | 1eb93cc7aeb12860b63129a69b812b694748a816 |
| SHA256 | 53d617778c1ba174c22b47fd2d84035aa28c58bdcab6c3f3224f3777d1d8e7ee |
| SHA512 | 67c438c141f7d6509db1d0bb17b312b66be8947a623580cc49fcb3000f7e402dda856ab1d422a68bbb25392d00902fef2bd31ce9cc491769205cdd7b31edf605 |
C:\Windows\System32\perfh009.dat
| MD5 | efeeda97e31eb12669293d78feaff451 |
| SHA1 | f3680730a9ed165f49be4a2b1be8477196f15afb |
| SHA256 | a0ae9b96680526dd73b3469504eaeb3882c655e3f4557b9e120de1ddd8edb834 |
| SHA512 | 452da0e9a2c17de87d5a0db150acf299310d684c50c4f16daa5f1c298267d76d990000a0bf4e5ffb2afe5769e74bfcdf351e8d68b933a432a9130cdcdd81f1b2 |
C:\Windows\System32\perfc010.dat
| MD5 | 31f061dd23766fb40b15c9754bbc5a61 |
| SHA1 | 1d6e9a4b87576e771c2c2157919236195aacf4d8 |
| SHA256 | 2e69db7389943a3ed9aee54788510f229b1462c6281e2a3e54d8b7e83fa1a0df |
| SHA512 | 49af16e7d50be8025b3ecf6d4c965339ca4d4db29d3e606318c94f8f0e68d7914c57cb9ee78f5b8d35f5772c0b6e008b3196932785625019d28e6fe5d6ad7369 |
C:\Windows\System32\perfh011.dat
| MD5 | 33cbb4d0e471fd527da2ded235fe9636 |
| SHA1 | aa9d9b062511eb38a1faf9a740f8fb709b02a7dd |
| SHA256 | 73174de99ccd45c2a8d818742ed313a55321186162005c0f2567e162954943a5 |
| SHA512 | a4c17182347bc3c5cce76562f26b27ac62e84c8589dd91d2840a452b6c593656f3d3a2fd5b7f207f32be0f5a0494bc44987fb70e6e8f3a756a0703df20baa93f |
C:\Windows\System32\perfh010.dat
| MD5 | a583c28c05f94a635bd67fee2d905a27 |
| SHA1 | a4af858c69297cb8a59cade7da6e5a36b43e7548 |
| SHA256 | c70b892d93e93c37c826ba97459e8fb724e6c5cf6dc2288613430fc59c0c1eb0 |
| SHA512 | 06626f291b69e044e8e44fa46576c0287e4df434cd07b0bdb1b162fed25ddef652e5ad8d08d984f2d7d4c027c8ee032eef485f7269f0a83e11c1fa61f80a5d67 |
C:\Windows\System32\perfh00C.dat
| MD5 | f5fd5898bda4a68842ec6c6a9088adec |
| SHA1 | f974a58b258b438e79eb4bea3ae54a91f516a10a |
| SHA256 | e962a408ff9a789b92bc1429637cb30e00fc47bfa3b06a7fd7b22646e1f5b872 |
| SHA512 | 932e551597139b85b4faecfa9156e7e98d33b5dad4bd6f4c40504ced7b032c8fed223b81f056654a75c66a8326c51b28fef102ad55d5b224722f90c778b6ed98 |
C:\Windows\System32\perfc00C.dat
| MD5 | ac22e4ddfcafca323b25a78120008e1d |
| SHA1 | 1a22e811a017e48900633aaf28c8e3d0f647dcfb |
| SHA256 | 4ce9124ff763431485fd5dd8d2725f9baed086e9b94513f6ba7337ffe6f13308 |
| SHA512 | c1cd3db4455cd599ba8ce9e735a75622fdc6d7dca02409bdb1af00e2c47559191f64414a011bbfa11990eb7d0e67ec10edd8bdba9fdcb06ad3b4cb784f6d1bcf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-Redstone\Shell\NormalColor\en-US\shellstyle.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-Redstone\Shell\NormalColor\shellstyle.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-W11\Shell\NormalColor\shellstyle.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
82s
Max time network
98s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-Redstone\shell\NormalColor\en-US\shellstyle.dll,#1
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
84s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-Redstone\shell\NormalColor\en-US\shellstyle.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
84s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-W11\shell\NormalColor\shellstyle.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:53
Platform
win11-20241007-en
Max time kernel
150s
Max time network
97s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-29 08:48
Reported
2024-11-29 08:54
Platform
win11-20241007-en
Max time kernel
82s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-W11\Shell\NormalColor\en-US\shellstyle.dll,#1